
Driver Vulnerabilities Facilitate Attacks on ATMs, PoS Systems

Driver vulnerabilities can facilitate attacks on ATMs, point-of-sale (PoS) systems and other devices, firmware security company Eclypsium warned on Monday.

Driver vulnerabilities can facilitate attacks on ATMs, point-of-sale (PoS) systems and other devices, firmware security company Eclypsium warned on Monday.

Eclypsium last year analyzed device drivers from major vendors and found that over 40 drivers made by 20 companies contained serious vulnerabilities that could be exploited to deploy persistent malware.

The firm now warns that the Windows drivers used in ATMs and PoS devices can be highly useful to threat actors targeting these types of systems.

A significant number of ATM malware families emerged over the past years, including the ones known as Skimer, Alice, CUTLET MAKER, Ploutus, Tyupkin, ATMJackpot, Suceful, RIPPER, WinPot, PRILEX, ATMii and GreenDispenser. Many of these pieces of malware allow their operators to conduct so-called “jackpotting” attacks, where the attacker instructs the targeted ATM to dispense cash.

According to Eclypsium, vulnerabilities affecting the drivers running on ATMs or PoS devices could allow attackers to escalate privileges and gain “deeper access” into the targeted system.

“By taking advantage of the functionality in insecure drivers, attackers or their malware can gain new privileges, access information, and ultimately steal money or customer data,” Eclypsium explained.

As an example, the security firm described a vulnerability found by its researchers in a driver present on Diebold Nixdorf ATMs. The driver in question provides access to x86 I/O ports, a capability that is fairly limited compared to what other drivers expose. Nevertheless, a driver that provides arbitrary access to I/O ports can be useful in the initial phases of an attack, as it could allow the attacker to reach PCI-connected devices, including external devices and the SPI controller, which provides access to the system firmware.

“What ‘PCI access’ means is that software would be able to communicate with PCI devices and as a result use them,” Mickey Shkatov, principal researcher at Eclypsium, told SecurityWeek. “Consider the following flow as an example: software uses the driver to perform I/O operations that translate to legacy PCI access, then the software uses that PCI access to direct a device to perform actions.”

“The Intel SPI controller is such a device that in turn can read/write to the system firmware on the on-board non-volatile memory. By gaining arbitrary access to the I/O ports, an attacker could potentially gain arbitrary PCI access, which in turn could allow the attacker to target data to and from PCI-connected devices,” Shkatov explained.

Eclypsium also pointed out that in the case of the driver used by Diebold Nixdorf, it could allow an attacker to install a bootkit on the targeted device as the driver is also leveraged to update the BIOS firmware.

The vulnerability was reported to the vendor, which released patches earlier this year. However, these types of security flaws can pose a risk for an extended period of time, as it typically takes the manufacturers of highly regulated devices much longer to release patches due to compliance requirements. In this case, Eclypsium says its research was completed in May 2019, but it could not disclose its findings until now.

Moreover, it can take a lot of time for the updates to reach all end devices, which often still run outdated operating systems, such as Windows XP and Windows 7.

Eclypsium believes there are likely many other vulnerable drivers that expose ATMs to attacks, and that some of them could contain even more serious security holes.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
